Privacy enforcement via localized personalization

ABSTRACT

This disclosure is directed to privacy enforcement via localized personalization. An example device may comprise at least a user interface to present content. A message may be received into a trusted execution environment (TEE) situated within the device or remotely, the message including at least metadata and content. The TEE may determine relevance of the content to a user based on the metadata and user data. Based on the relevance, the TEE may cause the content to be presented to the user via the user interface. In one embodiment, the TEE may be able to personalize the content based on the user data prior to presentation. If the content includes an offer, the TEE may also be able to present counteroffers to the user based on user interaction with the content. The TEE may also be able to cause feedback data to be transmitted to at least the content provider.

PRIORITY APPLICATION

This application is a continuation of U.S. application Ser. No. 15/039,021, filed May 24, 2016, which is a U.S. National Stage Application under 35 U.S.C. 371 from International Application No. PCT/US2013/077653, filed on Dec. 24, 2013, published as WO 2015/099697, all of which are incorporated herein by reference in their entirety.

TECHNICAL FIELD

The present disclosure relates to data security, and more particularly, to a scheme for allowing message reception, personalization, interaction, etc. while protecting personal data.

BACKGROUND

Electronic communication has become well-integrated in various aspects of modern society. A user may not simply benefit from being able to access different types of content using various devices at virtually any time, but this convenience may develop into reliance. This level of attention to a particular information source may be attractive to certain content providers. For example, governmental entities may broadcast important information to their constituents, educational institutions may provide information to students and parents, and of course, business concerns may seek to deliver advertisements and similar content to potential consumers. These institutions may not desire to indiscriminately blanket all existing devices with a variety of messages. In addition to the potential to alienate their target audience with a barrage of irrelevant information, the additional traffic flowing through wired and/or wireless communication mediums may cause performance issues that may further enrage the audience they wish to capture. Thus, many content providers attempt to direct their communications to specific parties that may have interest in the content or in products advertised in the content.

In tailoring content delivery to certain audiences, content providers may require some information about the people using these devices. However, users may desire the ability to exercise control over how their personal information is disseminated (e.g., to guard against being overwhelmed by an avalanche of offers, advertisements, etc.). More importantly, as users become more reliant upon their various electronic devices, there is a correspondingly increasing concern about private data getting into the wrong hands. For example, users may store a large amount of private information on their devices including data that identifies the user, where the user lives, where the user works, the user's medical conditions, the user's financial accounts, the user's relatives, friends, etc. The fear of this information possibly being obtained by people having mischievous or even criminal intentions may cause users to resist receiving content that they may otherwise have enjoyed or otherwise benefited from.

BRIEF DESCRIPTION OF THE DRAWINGS

Features and advantages of various embodiments of the claimed subject matter will become apparent as the following Detailed Description proceeds, and upon reference to the Drawings, wherein like numerals designate like parts, and in which:

FIG. 1 illustrates an example system configured for privacy enforcement via localized personalization in accordance with at least one embodiment of the present disclosure;

FIG. 2 illustrates an example configuration for a device in accordance with at least one embodiment of the present disclosure;

FIG. 3 illustrates an example message in accordance with at least one embodiment of the present disclosure;

FIG. 4 illustrates example instructions for dimension matching in accordance with at least one embodiment of the present disclosure;

FIG. 5 illustrates example instructions for content personalization in accordance with at least one embodiment of the present disclosure;

FIG. 6 illustrates example feedback in accordance with at least one embodiment of the present disclosure;

FIG. 7 illustrates example operations for message generation and feedback reception in accordance with at least one embodiment of the present disclosure; and

FIG. 8 illustrates example operations for privacy enforcement via localized personalization in accordance with at least one embodiment of the present disclosure.

Although the following Detailed Description will proceed with reference being made to illustrative embodiments, many alternatives, modifications and variations thereof will be apparent to those skilled in the art.

DETAILED DESCRIPTION

This disclosure is directed to privacy enforcement via localized personalization. An example device may comprise at least a user interface to present content. A message may be received into a trusted execution environment (TEE) situated within the device or remotely, the message including at least metadata and content. The TEE may determine relevance of the content to a user based on the metadata and user data. Based on the relevance, the TEE may cause the content to be presented to the user via the user interface. In one embodiment, the TEE may be able to personalize the content based on the user data prior to presentation. If the content includes an offer, the TEE may also be able to present counteroffers to the user based on user interaction with the content. The TEE may also be able to cause feedback data to be transmitted to at least the content provider.

In one embodiment, an example device configured for privacy enforcement may comprise at least a communication module, a user interface module and a TEE. The communication module may be to interact with at least a content provider. The user interface module may be to present content to a user. The TEE may be to receive a message from the content provider via the communication module, the message including at least metadata and content, to determine relevance of the content to the user based on at least one of the metadata and user data and to cause the content to be presented to the user via the user interface module based on the relevance of the content.

For example, the TEE may be situated in the device or outside of the device in at least one computing device. The TEE may comprise a secure memory space accessible to only applications verified as safe by the TEE. The metadata may comprise at least public routing data and private criteria. In one example implementation, at least the private criteria are encrypted and the TEE is further to decrypt the private criteria. The private criteria may comprise dimension matching criteria including instructions for determining the relevance of the content. The TEE may further be to personalize the content prior to presentation based on personalization criteria also included in the private criteria, the personalization criteria including instructions for altering the content based on the user data. The TEE may further be to cause additional content to be presented via the user interface module based on counter offer criteria also included in the private criteria, the counter offer criteria including instructions for presenting additional content based on the interaction between the user and the presented content. The private criteria may also comprise feedback criteria including instructions for collecting the feedback data based on at least one of the user data and interaction between the user and the presented content. In this regard, the TEE may further be to cause the feedback data to be collected based on the interaction and cause the feedback data to be transmitted to at least the content provider. The feedback data may comprise, for example, at least privacy protected data resulting from the interaction and sanitized user data, the TEE being further to cause the communication module to transmit the privacy protected data to the content provider and to transmit the sanitized user data to an anonymous data accumulator.

The device may further comprise a data collection module to collect the user data from at least one of user interaction with the device, sensors in the device or data sources outside the device. The TEE may further be to cause the user interface module to present a notification informing the user regarding availability of the content. An example method consistent with embodiments of the present disclosure may comprise receiving a message in a TEE from a content provider, the message including at least metadata and content, determining relevance of the content to a user based on at least one of the metadata and user data and causing the content to be presented to the user based on the relevance of the content.

FIG. 1 illustrates an example system configured for privacy enforcement via localized personalization in accordance with at least one embodiment of the present disclosure. System 100 may comprise, for example, device 102 and content provider 104. Examples of device 102 may include, but are not limited to, a mobile communication device such as a cellular handset or a smartphone based on the Android® OS, iOS®, Windows® OS, Blackberry® OS, Palm® OS, Symbian® OS, etc., a mobile computing device such as a tablet computer like an iPad®, Surface®, Galaxy Tab®, Kindle Fire®, etc., an Ultrabook® including a low-power chipset manufactured by Intel Corporation, a netbook, a notebook, a laptop, a palmtop, etc., a typically stationary computing device such as a desktop computer, a smart television, etc. Content provider 104 may be situated remotely from device 102, and may comprise at least one computing device accessible via a local area network (LAN) or a wide area network (WAN) such as the Internet. An example of content provider 104 may include one or more servers organized in a cloud computing configuration.

System 100 may further comprise, for example, TEE module 106, data collection module 108, user data module 110, context data module 112 and user interface module 114. User interface module 114 may be in device 102 (e.g., content may be presented to a user of device 102 via user interface 114). However, as indicated by dashed line 136, modules 106 to 112 may be flexibly arranged consistent with the present disclosure. For example, while any or all of modules 106 to 112 may be located in device 102, it is also possible for any of these modules to be located remotely from device 102 (e.g., supported by at least one server in a cloud-computing configuration similar to content provider 104). There are advantages to both configurations. Having modules 106 to 112 located within device 102 may improve the security of the data handled by these modules (e.g., there is no need to expose data in cloud-based servers, during transmission to device 102, etc.). However, moving the functionality associated with modules 106 to 112 to a remote device may reduce the data processing load on device 102 and allow for implementation of system 100 using a broader range of devices.

TEE module 106 may be a secure workspace in which known-good programs may execute, confidential information may be stored in a secure manner, etc. In general, TEE module 106 may comprise a set of computing resources that are secure such that programs executing within TEE module 106, and any data associated with the executing programs, are isolated. The programs/data cannot be interfered with or observed during program execution with the exception that the program may be started or stopped and the associated data may be inserted or deleted. The insertion of data may be unobserved, and thus not interfered with, and any data leaving TEE module 106 is released in a controlled manner. Consistent with the present disclosure, at least one known-good program executing within TEE module 106 may perform any or all operations disclosed herein in regard to TEE module 106. In one example implementation, TEE module 106 may utilize Software Guard Extensions (SGX) technology developed by the Intel Corporation. SGX may provide a secure and hardware-encrypted computation and storage area inside of the system memory, the contents of which cannot be deciphered by privileged code or even through the application of hardware probes to the memory bus. When TEE module 106 is protected by SGX, embodiments consistent with the present disclosure make it impossible for an intruder to decipher the contents of TEE module 106. Protected data cannot be observed outside of SGX, and thus, is inaccessible outside of SGX.

In an example implementation wherein TEE module 106 resides within SGX, the identity of programs (e.g., based on a cryptographic hash measurement of each program's contents) may be signed and stored inside each program. When the programs are then loaded, the processor verifies that the measurement of the program (e.g., as computed by the processor) is identical to the measurement previously embedded inside the program. The signature used to sign the embedded measurement is also verifiable because the processor is provided with a public key used to verify the signature at program load time. This way malware can't tamper with the program without also altering its verifiable measurement. Malware also cannot spoof the signature because the signing key is secure with the program's author. Thus, the software may not be read, written to or altered by any malware. Moreover, data may also be protected in TEE module 106. For example, known-good programs in TEE module 106 may encrypt data such as keys, passwords, licenses, etc. so that only verified good programs may decrypt this information. While only one TEE module 106 is disclosed in device 102, it is also possible for a plurality of TEE modules 106 to exist. The use of a plurality of TEE modules 106 may increase security in device 102 in that if one TEE module 106 is compromised the security of the remaining separate TEE modules 106 remains intact.

Data collection module 108 may be configured to collect data regarding the status of device 102, a user of device 102, an environment in which the device is operating, etc. This data may be provided by various resources including, but not limited to, data stored within the device, sensors in the device, a LAN or WAN like the Internet, etc. For example, data collection module 108 may collect user data including, but not limited to, data identifying at least one user of device 102, background information regarding the at least one user's gender, age, ethnicity, education, residence, employment, interests, marital status, relations (e.g., relatives, friends, business associates, etc.), clubs, affiliations and any other data that may be used to, for example, target content distributed by content provider 104. Data collection module 108 may also collect data regarding the context of device 102 including device statistics (e.g., utilization, power level, running and/or loaded applications, etc.), environmental information regarding current and/or historical location data for device 102 (e.g., as determined by Global Positioning System (GPS) coordinates, cellular network registration, access points (APs) sensed in proximity to device 102, etc.), other devices sensed in proximity to device 102, etc.

User data module 110 may receive entered data 118 from user interface module 114 (e.g., data manually entered by the user, sensed biometric data, etc.) and collected data 120A from data collection module 108 (e.g., collected from local or remote data sources, sensed by sensors in device 102, etc.). User identification may be important where, for example, there is more than one user for device 102 (e.g., where device 102 may be shared between family members, coworkers, etc.). User data module 110 may process received data 118 and 120A to generate user data 120. Context data module 112 may receive collected data 120B from data collection module 108 (e.g., data pertaining to the current condition of device 102, the environment in which device 102 is operating, etc.). Context data module 112 may process data 120B to generate context data 124. TEE module 106 may utilize user data 122 and/or context data 124 when processing message 116 into personalized content 126. Personalized content may be content delivered to device 102 from content provider 104 via message 116 that has been modified based on user data 122 and/or context data 124. Personalized content 126 may then be provided to user interface module 114 for presentation and/or interaction.

User interface module 114 may be capable of more than one mode of presentation and/or interaction in regard to personalized content 126. In one embodiment, user interface module 114 may present notification 130 to a user of device 102 informing the user that message 116 was received and/or personalized content 126 is available. Notification 130 may be a visible or audible notification to the user, and may be as simple as a small indicator on the display of device 102, a modification to an object already displayed on the display (e.g., superimposing an indicator over an object, changing the appearance of an object, etc.), an audible alert to the user, etc. In one embodiment, notification 120 may automatically or manually (e.g., via user interaction) cause presentation application 128 to be activated in device 102 or selected for interaction if already active. It may also be possible for notification 120 to be presented on device 102 (e.g., a smart phone or other mobile device), which prompts the user to activate presentation application 128 on another device (e.g., a more powerful device such as a tablet computer, laptop computer, etc.). Presentation application 128 may be any program capable of presenting personalized content 126 including, but not limited to, browser applications, multimedia applications, a proprietary viewer associated with content provider 104, etc. The user may then interact with personalized content 126 as shown at 132. Content interaction 132 may comprise, for example, the user reading the content and then interacting with user interface module 114 to answer questions presented by the content, place purchase orders for goods described in the content, receive counteroffers if initially presented offers are declined, etc. TEE 106 may then provide feedback 134 to content provider 104. Feedback 134 may comprise at least the result of content interaction 132 including, for example, the responses of the user to queries in personalized content 126, responses to offers/counteroffers proposed by personalized content 126, metrics regarding the user's interaction with personalized content 126 (e.g., duration of the interaction, sensed biometric information such as user eye focus on personalized content 126, sensed sounds during the interaction, etc.). In one embodiment, feedback 126 may further comprise user data 122 and/or context data 124. This data may be employed by content providers 104 for targeting message 116, for optimizing the content in message 116, etc. Due to privacy and/or safety concerns, the user data 122 and/or context data 124 provided in feedback 134 may be filtered and/or sanitized prior to transmission.

At least one benefit that may be realized from system 100 is the capability for content provider 104 to deliver personalized content 126 to a user of device 102 without placing fear into the user about their personal/confidential data. Since the personalization may occur on the terms of the user (e.g., within the device, within a cloud solution configured by the user), the level of security enforcement is totally within the user's control. Moreover, content provider 104 may also get feedback 134, but again this interaction may be controlled entirely by the user. For example, the user may establish rules dictating what categories of data may be divulged to content provider 104, how much data, how the data is filtered/sanitized, etc.

FIG. 2 illustrates an example configuration for a device in accordance with at least one embodiment of the present disclosure. In particular, device 102′ may be able to perform example functionality such as disclosed in FIG. 1. However, device 102′ is meant only as an example of equipment usable in embodiments consistent with the present disclosure, and is not meant to limit these various embodiments to any particular manner of implementation.

Device 102′ may comprise system module 200 to manage device operations. System module 200 may include, for example, processing module 202, memory module 204, power module 206, user interface module 114′ and communication interface module 208. Device 102′ may also include at least communication module 210 and TEE module 106′. While communication module 210 and TEE module 106′ have been shown separately from system module 200, the example implementation of device 102′ has been provided merely for the sake of explanation herein. Some or all of the functionality associated with communication module 210 and/or TEE module 106′ may also be incorporated within system module 200. In device 102′, processing module 202 may comprise one or more processors situated in separate components, or alternatively, may comprise one or more processing cores embodied in a single component (e.g., in a System-on-a-Chip (SoC) configuration) and any processor-related support circuitry (e.g., bridging interfaces, etc.). Example processors may include, but are not limited to, various x86-based microprocessors available from the Intel Corporation including those in the Pentium, Xeon, Itanium, Celeron, Atom, Core i-series product families, Advanced RISC (e.g., Reduced Instruction Set Computing) Machine or “ARM” processors, etc. Examples of support circuitry may include chipsets (e.g., Northbridge, Southbridge, etc. available from the Intel Corporation) configured to provide an interface through which processing module 202 may interact with other system components that may be operating at different speeds, on different buses, etc. in device 102′. Some or all of the functionality commonly associated with the support circuitry may also be included in the same physical package as the processor (e.g., such as in the Sandy Bridge family of processors available from the Intel Corporation).

Processing module 202 may be configured to execute various instructions in device 102′. Instructions may include program code configured to cause processing module 202 to perform activities related to reading data, writing data, processing data, formulating data, converting data, transforming data, etc. Information (e.g., instructions, data, etc.) may be stored in memory module 204. Memory module 204 may comprise random access memory (RAM) and/or read-only memory (ROM) in a fixed or removable format. RAM may include memory to hold information during the operation of device 102′ such as, for example, static RAM (SRAM) or dynamic RAM (DRAM). ROM may comprise memories utilizing a Basic Input/Output System (BIOS) or Unified Extensible Firmware Interface (UEFI) for performing boot operations, programmable memories such as, for example, electronic programmable ROMs (EPROMS), Flash, etc. Memory module 203 may also comprise magnetic memories including, for example, floppy disks, fixed/removable hard drives, etc., electronic memories including, for example, solid state flash memory (e.g., embedded multimedia card (eMMC), etc.), removable cards/sticks (e.g., micro storage devices (uSD), USB, etc.), optical memories including, for example, compact disc ROM (CD-ROM), digital video disc (DVD), etc.

Power module 206 may include internal power sources (e.g., a battery, fuel cell, etc.) and/or external power sources (e.g., electromechanical or solar generation, power grid, etc.), and related circuitry configured to supply device 102′ with the energy needed to operate. User interface module 114′ may include equipment and/or software to allow users to interact with device 102′ such as, for example, various input mechanisms (e.g., microphones, switches, buttons, knobs, keyboards, speakers, touch-sensitive surfaces, one or more sensors configured to capture images, video and/or to sense proximity, distance, motion, gestures, orientation, etc.) and various output mechanisms (e.g., speakers, displays, lighted/flashing indicators, electromechanical components for vibration, motion, etc.). The above example equipment associated with user interface module 114′ may be incorporated within device 102′ and/or may be coupled to device 102′ via a wired or wireless communication medium.

Communication interface module 208 may handle packet routing and other control functions for communication module 210, which may include resources configured to support wired and/or wireless communications. Wired communications may include serial and parallel wired mediums such as, for example, Ethernet, Universal Serial Bus (USB), Firewire, Digital Video Interface (DVI), High-Definition Multimedia Interface (HDMI), etc. Wireless communications may include, for example, close-proximity wireless mediums (e.g., radio frequency (RF) such as based on the Near Field Communications (NFC) standard, infrared (IR), optical character recognition (OCR), magnetic character sensing, etc.), short-range wireless mediums (e.g., Bluetooth, WLAN, Wi-Fi, etc.) and long range wireless mediums (e.g., cellular wide-area radio communication technology, satellite-based communications, etc.). In one embodiment, communication interface module 208 may prevent interference between different active wireless links in communication module 210. In performing this function, communication interface module 208 may schedule activities for communication module 210 based on, for example, the relative priority of messages awaiting transmission.

In the embodiment illustrated in FIG. 2, TEE module 106′ may interact with at least processing module 202, memory module 204 and communication module 210. For example, processing module 202 and/or memory module may perform the operations associated with data collection module 108, user data module 110 and context data module 112. Collected data 120A and B may be processed into user data 122 and/or context data 124 by processing module 202 that may be stored in memory module 204. Message 116 may be received into TEE module 106′ via communication module 210, and at least one application 128′ in TEE module 106′ may generate personalized content 126 by personalizing the content in message 116 based on context data 124 by processing module 202 stored in memory module 204. Personalized content 126 may then be stored in memory module 204 in preparation for presentation to a user of device 102′ (e.g., after the user receives notification 130 as to the availability of personalized content 126 triggered, for example by TEE module 106′).

FIG. 3 illustrates an example message in accordance with at least one embodiment of the present disclosure. In one embodiment, message 116′ may comprise at least metadata 300 and content 302. Content 302 may comprise text, images, video, audio, user interface objects, etc. to be presented to a user of device 102. Metadata 300 may comprise data for routing message 116′ and/or data regarding how functionality should be carried out with respect to content 302 and/or collecting data for feedback 134. A more detailed example of metadata 300 is illustrated at 300′ in FIG. 3. Public routing data 304 in metadata 300′ may comprise general information for getting message 116′ to device 102. For example, public routing data 204 may comprise a broad category of devices to receive message 116′ such as, for example, a certain type of device, devices communicating on a certain network, devices associated with users in a broad category defined by gender, profession, etc. In practice, it may be beneficial for content provider 104 to allow nothing meaningful to be gained from public routing data 304 in regard to the strategy for disseminating content 302.

In one embodiment, at least some of metadata 300′ may be encrypted in a manner that only device 102 may decrypt. Traditionally, TEE module 106 would be required to produce a public key compatible with the key the content provider 104 used to encrypt private criteria 306. This traditional approach has the problem of the public key uniquely identifying device 102 to at least content provider 104 (and likewise the users associated with device 102, which may be undesirable for these users in the instance that content provider 104 is an advertiser or marketer). Moreover, private criteria 306 would have to be customized/re-encrypted for each device 102. Such customization may prove to be a waste of resources as many messages 116 may be filtered out before presentation by TEE module 106′ based on public routing data 304. Alternatively, when TEE module 106 interacts with content provider 104 (and/or with anonymous data accumulator 600 as disclosed in FIG. 6), it may employ an Enhanced Privacy ID (EPID) signed SIGMA (Sign-and-Mac) communication session. The EPID signed SIGMA session facilitates anonymous interaction between device 102 and at least content provider 104 during which TEE module 106 may transmit dimension data (e.g., “sanitized” user data devoid of data identifying the corresponding user) and may then receive at least one key for decrypting private criteria 306. The decryption keys may be symmetric (e.g., may be based on the Advanced Encryption Standard (AES), Rivest Cipher 4 (RC4), etc.) or asymmetric public keys wherein the private key may wrap a symmetric public key that is then delivered to TEE module 106. Protecting public keys within private keys is counter to the traditional use of asymmetric public keys for encryption, not decryption. Keeping public keys secret may help to prevent Man-In-The-Middle (MITM) attacks from intercepting the public keys.
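The key-delivery model just described, as an added example that is not code from the disclosure: the content provider encrypts private criteria 306 once under a per-message symmetric key, every device receives the same ciphertext, the TEE drops messages on public routing data 304 before contacting anyone, and only a device whose sanitized dimension data fits the campaign is handed the key over the anonymous session. The EPID-signed SIGMA session is modelled as a plain method call, the JSON field names are assumptions, and the cipher is an HMAC-SHA256 keystream standing in for AES so the example runs on the Python standard library alone.

```python
import hashlib
import hmac
import json
import os

# Stand-in for AES-CTR (assumption, so the example needs no third-party library):
# an HMAC-SHA256 keystream XORed over the data. It shows the key-delivery flow
# only; a deployed TEE would use AES as the disclosure suggests.
def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out.extend(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))

# Fields that would let the provider re-identify the user; never sent as dimension data.
IDENTIFYING_FIELDS = {"user_id", "name", "email", "device_serial"}

def sanitize_dimensions(user_data: dict) -> dict:
    """Dimension data for the anonymous session: identifying fields removed and
    age coarsened to a decade bucket so a record does not pin down one user."""
    dims = {k: v for k, v in user_data.items() if k not in IDENTIFYING_FIELDS}
    if "age" in dims:
        dims["age_bucket"] = f"{(dims.pop('age') // 10) * 10}s"
    return dims

class ContentProvider:
    """Encrypts private criteria once and releases the key only to sessions
    whose dimension data fits the campaign (constructed model of provider 104)."""
    def __init__(self, public_routing: dict, private_criteria: dict, required_dims: dict):
        self.key = os.urandom(32)
        self.nonce = os.urandom(16)
        self.required_dims = required_dims
        ct = keystream_xor(self.key, self.nonce, json.dumps(private_criteria).encode())
        self.message = {"public_routing": public_routing,   # cleartext, coarse
                        "nonce": self.nonce.hex(),
                        "private_criteria_ct": ct.hex(),      # identical for every device
                        "content": "constructed sample content"}
        self.key_requests = []   # what the provider actually learns about devices

    def request_key(self, dimension_data: dict):
        # Stands in for the EPID-signed SIGMA exchange: the provider sees these
        # dimensions and nothing device-unique, so no per-device public key exists.
        self.key_requests.append(dimension_data)
        if all(dimension_data.get(k) == v for k, v in self.required_dims.items()):
            return self.key
        return None

def prefilter(public_routing: dict, device_profile: dict) -> bool:
    """Cheap cleartext filter on public routing data: messages for another device
    class are dropped before any session or decryption work happens."""
    return all(device_profile.get(k) == v for k, v in public_routing.items())

def tee_receive(message: dict, device_profile: dict, user_data: dict, provider: ContentProvider):
    """TEE-side handling: returns the decrypted private criteria, or None when the
    message is filtered out or the provider declines to release the key."""
    if not prefilter(message["public_routing"], device_profile):
        return None                       # provider is never contacted
    key = provider.request_key(sanitize_dimensions(user_data))
    if key is None:
        return None                       # criteria stay opaque to this device
    plaintext = keystream_xor(key, bytes.fromhex(message["nonce"]),
                              bytes.fromhex(message["private_criteria_ct"]))
    return json.loads(plaintext)
```

Because the ciphertext is the same for every recipient, the provider does no per-device re-encryption, and the only per-device state it ever holds is the list of sanitized dimension records in `key_requests`, which is what a privacy review would inspect.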

Private criteria 306 may be encrypted to, for example, prevent competitors of content provider 104 from determining proprietary information with respect to their strategy for disseminating content 302. For example, content provider 104 may market products to the user of device 102, and a strategy for marketing these products may be readily determinable from private criteria 306. Thus, content provider 104 may only participate in system 100 if there is some assurance that their marketing strategy is kept secret. The data in private criteria 306 may perform a variety of functionality, examples of which are presented in FIG. 3. For example, dimension matching criteria 308 may further expand upon the broad categories defined in public routing data 304 to determine if content 302 is applicable to the current user of device 102. Dimension matching criteria 308 may include instructions, rules, etc. that further refine whether content 302 should be presented to the current user of device 102. Example code (e.g., a set of instructions) that may be included in dimension matching criteria 308 is disclosed in FIG. 4. Dimension matching example 400 is written in Extensible Access Control Markup Language (XACML), but may also be composed using other basic encoding rules (BER) depending upon, for example, the requirements/characteristics of the particular implementation. Examples of other BERs may include JavaScript Object Notation (JSON), Abstract Syntax Notation One (ASN.1), etc. Example 400 defines an example policy (e.g., a user is within a certain age range, has a certain level of education, already uses a certain product, has a certain familial makeup, has manually configured user preferences in device 102 to allow content 302 to be presented, etc.) and may then query whether the current user of the device satisfies this policy (e.g., based on user data 110 and/or context data 112). If the current user of the device fits within the policies defined in dimension matching criteria 308, then a determination may be made that the presentation of content 302 is appropriate.

If it is determined that content 302 is appropriate for the current user of device 102 based on dimension matching criteria 308, then personalization criteria 310 may describe how to personalize content 302 for the current user of device 102 (e.g., based on user data 110, context data 112, etc.). For example, personalization criteria 310 may define areas of content 302 that may be altered to reflect the user, the perspective of the user, the location of the device/user, etc. Example code corresponding to functionality that may be performed by personalization criteria 310 is disclosed in FIG. 5. Personalization example 500 comprises example XACML code to insert the title (e.g., Mr., Ms., Mrs., etc.) and the name of the user of device 102 into content 302. In this manner, content 302 may appeal more to the current user, which may help to better maintain the attention of the user of device 102. Because personalization criteria 310 execute within TEE module 106, content provider 104 supplies the instructions but never receives the user data 110 or context data 112 that they operate on.

Counter offer criteria 312 may be optional in private criteria 306 in that it may only be required in certain scenarios (e.g., when content 302 comprises an advertisement including at least one offer to which the user of device 102 may respond). Counter offer criteria 312 may comprise at least one other offer that may be presented to the user if an offer included in content 302 is declined, not of interest to the user, etc. Counter offer criteria 312 may present counter offers to the user automatically (e.g., after an initial offer is declined during content interaction 132). The number, type, etc. of counter offers available to a user may depend on the particular implementation of system 100. Regardless of whether an offer or counter offer is accepted by the user, feedback criteria 314 may include instructions as to how to generate feedback 134. In one embodiment, feedback 134 may comprise data derived from content interaction 132, which may then be transmitted back to content provider 104. Data in feedback 134 may comprise the identification of the user, user answers to questions posed during content interaction 132, user acceptance/refusal information regarding offers made during content interaction 132, user payment/delivery information if an offer was accepted, etc. In the same or a different embodiment, feedback 134 may also comprise user data 110 and/or context data 112 for use by content provider 104 in determining the attractiveness, effectiveness, etc. of content 302. A more detailed example disclosing how feedback 134 may be provided while ensuring that the privacy of the user is protected is disclosed in FIG. 6.

FIG. 6 illustrates example feedback in accordance with at least one embodiment of the present disclosure. In one embodiment, feedback 134′ may be provided to different entities that participate in the content creation process. Anonymous data accumulator 600 may be part of content provider 104 or may be an entirely independent entity. Anonymous data accumulator 600 may comprise at least one computing device (e.g., a server) accessible via a LAN or WAN like the Internet (e.g., in a cloud-computing configuration) to accumulate data from a variety of devices 102. Anonymous data accumulator 600 may process the collected data to determine statistics, distributions, trends, etc. within the data, and may then provide the processed data (e.g., targeting data 602) to content provider 104. Content provider 104 may utilize targeting data 602 to, for example, improve existing content 302, to generate new content 302, etc.

Given the example presented in FIG. 6, feedback 134′ may comprise at least two data flows. Privacy protected telemetry data 604 may include, for example, the results of content interaction 132. It may be important to deliver this information directly to content provider 104 as it may contain offer acceptance information regarding an offer (or counter offer) that was presented in content 302. Privacy protected telemetry data 604 may be filtered by TEE module 106 prior to transmission to ensure only necessary data is being provided to content provider 104. Filtering in TEE module 106 may help to ensure that any data intended to be kept private by the user is filtered in a safe environment (e.g., one not susceptible to compromise from other programs, outside influences, etc.) prior to privacy protected telemetry data 604 being sent. Alternatively, privacy protected telemetry data 604 may be delivered to content provider 104 via an anonymous interaction protocol such as an EPID signed SIGMA session as described above with respect to FIG. 3. Sanitized user data 606 may comprise user data 110 and/or context data 112 (e.g., user gender, age, location, familial makeup, profession, interests, etc.) that may be provided to anonymous data accumulator 600 in a similar manner to privacy protected telemetry data 604, in that TEE module 106 may remove private/confidential data prior to transmission or may transmit via an anonymous interaction protocol. In one embodiment, the rules for determining the data that may be transmitted in privacy protected telemetry data 604 and/or sanitized user data 606 may be set by the manufacturer of device 102, may be configured by users of device 102 (e.g., via user interface module 114), etc. Note that an anonymous transport does not by itself make the payload anonymous: sanitized user data 606 that still carries an identifier, or a combination of attributes rare enough to single out one user, identifies that user however it is delivered, so the filtering rules and the anonymous protocol are complementary rather than interchangeable.

FIG. 7 illustrates example operations for message generation and feedback reception in accordance with at least one embodiment of the present disclosure. The operations shown in FIG. 7 may be performed by, for example, a content provider. In operation 700 the content provider may identify target parameters for content (e.g., to be transmitted to target users in a message). Private criteria may then be determined based at least on the target parameters in operation 702. Private criteria may include instructions that, in view of the strategy of the content provider, determine whether to present the content to a user, customize the content, present counter offers, collect data, etc. The content provider may then proceed to generate metadata based at least on the private criteria in operation 704. The metadata generated in operation 704 may be combined with the content to generate a message in operation 706 that may then be transmitted in operation 708 (e.g., based on public routing data included in the message). Feedback may then be received in operation 710 (e.g., from the devices to which the message was transmitted, from a separate entity such as an anonymous data accumulator that collects feedback from the devices, etc.).

FIG. 8 illustrates example operations for privacy enforcement via localized personalization in accordance with at least one embodiment of the present disclosure. The operations shown in FIG. 8 may be performed by, for example, devices that receive messages from content providers, at least one computing device accessible via a LAN or WAN like the Internet (e.g., in a cloud-computing configuration), etc. A message may be received in a TEE module in operation 800 and any private data in the message may be decrypted in operation 802 (e.g., operation 802 may only be necessary if the message includes encrypted private criteria). In operation 804 dimension matching may be performed to determine if content in the message should be presented to the user (e.g., based on at least one policy encoded within the private criteria). A determination may be made in operation 806 as to whether dimension matching was achieved between the user and the content. If in operation 806 it is determined that the dimension matching failed, then in operation 808 presentation of the content may be aborted.
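The dimension matching of operations 804 and 806 (dimension matching criteria 308 of FIGS. 3 and 4) can be shown as a small policy evaluator that runs inside the TEE. The following Python is an added example and is not code from this disclosure: it assumes a JSON encoding of the criteria (the XACML of FIG. 4 is not reproduced here), a deny-overrides combining rule, the attribute names and operators shown, and constructed user, context and policy records. Only a decision leaves the evaluator; a missing attribute yields NotApplicable and a malformed rule or type mismatch yields Deny, so a bad policy cannot open presentation by accident.

```python
import json
from typing import Any, Callable, Dict, Optional

# Constructed dimension matching criteria 308 (hypothetical JSON encoding).
# Each rule names an attribute path in the merged user/context record, an
# operator and a comparison value. "prefs.allow_offers" stands for the
# user preference configured on the device that must permit this content.
DIMENSION_MATCHING_CRITERIA = json.dumps({
    "policy_id": "example-400",
    "combining": "deny-overrides",
    "rules": [
        {"attr": "age", "op": "range", "value": [25, 45]},
        {"attr": "education", "op": "in", "value": ["bachelor", "master", "doctorate"]},
        {"attr": "products_used", "op": "contains", "value": "acme-router"},
        {"attr": "household.children", "op": "gte", "value": 1},
        {"attr": "prefs.allow_offers", "op": "eq", "value": True},
    ],
})

# Constructed user data 110 / context data 112 for three device users.
USER_MATCH = {"age": 37, "education": "master", "products_used": ["acme-router"],
              "household": {"children": 2}, "prefs": {"allow_offers": True}}
USER_OPT_OUT = dict(USER_MATCH, prefs={"allow_offers": False})
USER_NO_AGE = {k: v for k, v in USER_MATCH.items() if k != "age"}
CONTEXT_HOME = {"location": "home", "network": "wifi"}

_OPS: Dict[str, Callable[[Any, Any], bool]] = {
    "eq": lambda a, v: a == v,
    "gte": lambda a, v: a >= v,
    "range": lambda a, v: v[0] <= a <= v[1],
    "in": lambda a, v: a in v,
    "contains": lambda a, v: v in a,
}


def lookup(record: Dict[str, Any], path: str) -> Optional[Any]:
    """Resolve a dotted attribute path; None if any segment is absent."""
    cur: Any = record
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def evaluate_rule(rule: Dict[str, Any], record: Dict[str, Any]) -> str:
    """Return 'Permit', 'Deny' or 'NotApplicable' for a single rule.
    A missing attribute is NotApplicable; a malformed rule or a type
    mismatch is treated as Deny so that a bad policy cannot open access."""
    actual = lookup(record, rule.get("attr", ""))
    if actual is None:
        return "NotApplicable"
    try:
        return "Permit" if _OPS[rule["op"]](actual, rule["value"]) else "Deny"
    except (KeyError, TypeError, IndexError):
        return "Deny"


def dimension_match(criteria_json: str, user_data: Dict[str, Any],
                    context_data: Dict[str, Any]) -> str:
    """Evaluate all rules with deny-overrides combining: any Deny wins,
    all Permit yields Permit, anything else is NotApplicable. Only the
    decision leaves this function; the user record does not."""
    policy = json.loads(criteria_json)
    if policy.get("combining") != "deny-overrides":
        return "Deny"  # unknown combining algorithm: fail closed
    record = {**context_data, **user_data}
    results = [evaluate_rule(r, record) for r in policy.get("rules", [])]
    if "Deny" in results:
        return "Deny"
    if results and all(r == "Permit" for r in results):
        return "Permit"
    return "NotApplicable"


def should_present(criteria_json: str, user_data: Dict[str, Any],
                   context_data: Dict[str, Any]) -> bool:
    """Operation 806: present content only on an explicit Permit."""
    return dimension_match(criteria_json, user_data, context_data) == "Permit"


if __name__ == "__main__":
    for label, user in [("match", USER_MATCH), ("opt-out", USER_OPT_OUT), ("no-age", USER_NO_AGE)]:
        print(label, dimension_match(DIMENSION_MATCHING_CRITERIA, user, CONTEXT_HOME))
```

The user-preference rule is evaluated like any other criterion, so a device-side opt-out denies presentation even when every provider-supplied rule matches; treating NotApplicable as "do not present" keeps an incomplete user record from being resolved in the provider's favour.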

If in operation 806 it is determined that dimension matching was successful (e.g., that the content should be presented), then in operation 810 the content may be customized based on at least one of user data or context data. A determination may then be made in operation 812 as to whether the device of the user is enabled for notification regarding the availability of the content. If it is determined in operation 812 that content notification is enabled, then in operation 814 the notification may be presented on the device. A determination in operation 812 that content notification is not enabled in the device or operation 814 may be followed by operation 816 wherein a determination may be made as to whether the device is enabled for user interaction with the content. If it is determined that the device is not enabled for user interaction with the content (e.g., an application for interacting with the content is not active or may not be installed), then in operation 818 the content may optionally be stored for later presentation (e.g., if the device supports this functionality) and presentation of the content may be aborted in operation 808. If in operation 816 it is determined that the device is enabled for user interaction with the content, then the content may be presented to the user in operation 820 (e.g., via a user interface in the device).
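The customization of operation 810 (personalization criteria 310 of FIGS. 3 and 5) can be shown as template substitution that the TEE confines to the fields the criteria name. The following Python is an added example, not the XACML of FIG. 5 or any code from this disclosure: the {{field}} placeholder syntax, the "fields" allowlist and "defaults" map in the criteria, and the sample content, user and context records are all assumed for illustration. The point it demonstrates is that the provider's instructions pick which user-data fields are inserted, but the TEE refuses any placeholder outside the allowlist instead of silently filling it.

```python
import re
from typing import Any, Dict, Optional

PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_.]*)\s*\}\}")

# Constructed content 302 as shipped by the provider, with placeholders.
CONTENT_302 = ("Dear {{title}} {{name}}, your {{product}} near {{city}} "
               "qualifies for a free upgrade.")

# Constructed personalization criteria 310 (hypothetical format): the
# fields the content may reference and fallbacks when a field is absent.
PERSONALIZATION_CRITERIA_310 = {
    "fields": ["title", "name", "product", "city"],
    "defaults": {"title": "", "name": "customer", "city": "your area"},
}

# Constructed user data 110 and context data 112. Note that email and
# address exist on the device but are not in the allowlist above.
USER_DATA_110 = {"title": "Ms.", "name": "Rivera", "product": "ACME Router",
                 "email": "rivera@example.invalid", "address": "12 Elm St"}
CONTEXT_DATA_112 = {"city": "Portland", "lat": 45.52, "lon": -122.68}


class PersonalizationRefused(ValueError):
    """Raised when content references a field outside the allowlist."""


def personalize(content: str, criteria: Dict[str, Any],
                user_data: Dict[str, Any], context_data: Dict[str, Any]) -> str:
    """Substitute allowlisted fields only. A placeholder naming any other
    field (e.g. {{email}}) aborts personalization rather than leaking the
    value into text that may later be echoed back in feedback 134."""
    allowed = set(criteria.get("fields", []))
    defaults = criteria.get("defaults", {})
    record = {**context_data, **user_data}   # user data wins on collision

    def substitute(match):
        field = match.group(1)
        if field not in allowed:
            raise PersonalizationRefused(f"field not permitted by criteria: {field}")
        if field in record:
            return str(record[field])
        return str(defaults.get(field, ""))   # absent field: provider default

    rendered = PLACEHOLDER.sub(substitute, content)
    return re.sub(r" {2,}", " ", rendered).strip()   # tidy gaps left by empty defaults


def render_for_presentation(content: str, criteria: Dict[str, Any],
                            user_data: Dict[str, Any],
                            context_data: Dict[str, Any]) -> Optional[str]:
    """Operation 810 wrapper: return personalized text, or None when the
    message must be aborted (operation 808) because it over-reached."""
    try:
        return personalize(content, criteria, user_data, context_data)
    except PersonalizationRefused:
        return None


if __name__ == "__main__":
    print(render_for_presentation(CONTENT_302, PERSONALIZATION_CRITERIA_310,
                                  USER_DATA_110, CONTEXT_DATA_112))
    print(render_for_presentation("Hi {{name}}, confirm {{email}}", PERSONALIZATION_CRITERIA_310,
                                  USER_DATA_110, CONTEXT_DATA_112))
```

Aborting on an over-reaching placeholder is deliberate: because the rendered text can be shown to the user and may be quoted in later feedback, an unrecognized field is treated as an attempt to move data out of the TEE rather than as a harmless template mistake.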

Operations 822 to 824 in FIG. 8 may be optional as they may only be applicable when the content presented to the user in operation 820 comprises an offer. In operation 822 a determination may be made as to whether an offer presented in the content is accepted by the user. If it is determined in operation 822 that the offer was not accepted by the user, then in operation 824 any counter offers included in the message may then be presented to the user. A determination in operation 822 that the offer was accepted or operation 824 may then be followed by operation 826 wherein feedback may be prepared for transmission to at least the content provider (e.g., and possibly other entities such as an anonymous data accumulator, etc.).

Feedback may include, for example, the results of the user interaction with the content, data about the user, about the context of the user/device, etc. In operation 828 the feedback may be analyzed by the TEE module to determine if any user data in the feedback is private and/or confidential. A determination may then be made in operation 830 as to whether the feedback comprises private and/or confidential user data. If in operation 830 it is determined that the feedback comprises private and/or confidential user data, then in operation 834 the feedback may be filtered and/or sanitized to remove private and/or confidential user data. In instances where the feedback includes a large amount of data, an alternative option may be to establish a communication session that links the TEE module to the content provider, the anonymous data accumulator, etc. via an anonymous interaction protocol such as an EPID signed SIGMA communication session that allows data to be transmitted without identifying the source of the data. A determination in operation 830 that the feedback does not comprise private and/or confidential information or operation 834 may be followed by transmission of the feedback in operation 832.
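The two feedback flows of FIG. 6 (privacy protected telemetry data 604 and sanitized user data 606) and the filtering of operations 828 to 834 can be shown together. The following Python is an added example and is not code from this disclosure: the rule format (an allowlist for telemetry, a field-to-generalizer map for sanitized data) stands in for the manufacturer- or user-configured rules described above, the identifier list and the generalizers are assumptions, and the interaction, user and context records are constructed. Telemetry for the content provider keeps interaction results and, only when an offer or counter offer was accepted, the payment/delivery details the text allows; sanitized data for the accumulator is built by allowlist so that any unmapped field is dropped, and a final check refuses to emit a payload in which an identifier value still appears.

```python
import json
from typing import Any, Dict, List

# Constructed content interaction 132 (a declined offer followed by an
# accepted counter offer), user data 110 and context data 112.
CONTENT_INTERACTION_132 = {
    "content_id": "promo-1224",
    "offer_accepted": False,
    "counter_offer_accepted": True,
    "answers": {"q1": "yes", "q2": "no"},
    "payment": {"card_last4": "1111", "name": "A. Rivera", "ship_to": "12 Elm St"},
}
USER_DATA_110 = {
    "user_id": "u-8817", "name": "A. Rivera", "email": "rivera@example.invalid",
    "age": 37, "gender": "F", "profession": "nurse",
    "interests": ["cycling", "home networking"], "children": 2,
}
CONTEXT_DATA_112 = {"lat": 45.5231, "lon": -122.6765, "city": "Portland", "country": "US"}

# Hypothetical rule sets standing in for the manufacturer/user-configured
# rules: what the provider may receive, and what the accumulator may receive.
TELEMETRY_RULES = {
    "allow": ["content_id", "offer_accepted", "counter_offer_accepted", "answers"],
    "allow_if_accepted": ["payment"],   # payment/delivery details only on acceptance
}
SANITIZE_RULES = {                      # field -> generalizer; unlisted fields are dropped
    "age": "age_band", "gender": "keep", "profession": "keep",
    "interests": "keep", "children": "keep", "country": "keep",
}
IDENTIFIERS = ["user_id", "name", "email", "lat", "lon", "city"]


def age_band(age: int) -> str:
    """Coarsen an exact age to a ten-year band (e.g. 37 -> '30-39')."""
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"


GENERALIZERS = {"keep": lambda v: v, "age_band": age_band}


def build_telemetry(interaction: Dict[str, Any], rules: Dict[str, List[str]]) -> Dict[str, Any]:
    """Privacy protected telemetry data 604 for content provider 104:
    interaction results, plus payment details only when an offer or
    counter offer was actually accepted."""
    accepted = bool(interaction.get("offer_accepted") or interaction.get("counter_offer_accepted"))
    keys = list(rules["allow"]) + (list(rules["allow_if_accepted"]) if accepted else [])
    return {k: interaction[k] for k in keys if k in interaction}


def build_sanitized(user_data: Dict[str, Any], context_data: Dict[str, Any],
                    rules: Dict[str, str]) -> Dict[str, Any]:
    """Sanitized user data 606 for anonymous data accumulator 600, built by
    allowlist: a field reaches the output only if a rule names it."""
    record = {**context_data, **user_data}
    return {field: GENERALIZERS[gen](record[field])
            for field, gen in rules.items() if field in record}


def identifier_leaks(payload: Any, user_data: Dict[str, Any], context_data: Dict[str, Any],
                     identifiers: List[str] = IDENTIFIERS) -> List[str]:
    """Operations 828/830: report identifier values present anywhere in the
    serialized payload, which also catches values copied into free text."""
    blob = json.dumps(payload)
    record = {**context_data, **user_data}
    return [k for k in identifiers if k in record and str(record[k]) in blob]


def prepare_feedback(interaction: Dict[str, Any], user_data: Dict[str, Any],
                     context_data: Dict[str, Any]) -> Dict[str, Dict[str, Any]]:
    """Operations 826 to 832: produce both flows; refuse to emit sanitized
    data that still carries an identifier rather than sending it anyway."""
    sanitized = build_sanitized(user_data, context_data, SANITIZE_RULES)
    leaks = identifier_leaks(sanitized, user_data, context_data)
    if leaks:
        raise ValueError(f"sanitized user data still contains: {leaks}")
    return {"telemetry_604": build_telemetry(interaction, TELEMETRY_RULES),
            "sanitized_606": sanitized}


if __name__ == "__main__":
    print(json.dumps(prepare_feedback(CONTENT_INTERACTION_132, USER_DATA_110, CONTEXT_DATA_112), indent=2))
```

The substring check in identifier_leaks is a last line of defence, not the filter itself: it will miss an identifier that was reformatted and can false-positive on very short values, which is why the sanitized flow is assembled from an allowlist in the first place rather than by deleting known-bad fields from a copy of everything.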

While FIGS. 7 and 8 illustrate operations according to different embodiments, it is to be understood that not all of the operations depicted in FIGS. 7 and 8 are necessary for other embodiments. Indeed, it is fully contemplated herein that in other embodiments of the present disclosure, the operations depicted in FIGS. 7 and 8, and/or other operations described herein, may be combined in a manner not specifically shown in any of the drawings, but still fully consistent with the present disclosure. Thus, claims directed to features and/or operations that are not exactly shown in one drawing are deemed within the scope and content of the present disclosure.

As used in this application and in the claims, a list of items joined by the term “and/or” can mean any combination of the listed items. For example, the phrase “A, B and/or C” can mean A; B; C; A and B; A and C; B and C; or A, B and C. As used in this application and in the claims, a list of items joined by the term “at least one of” can mean any combination of the listed terms. For example, the phrases “at least one of A, B or C” can mean A; B; C; A and B; A and C; B and C; or A, B and C.

As used in any embodiment herein, the term “module” may refer to software, firmware and/or circuitry configured to perform any of the aforementioned operations. Software may be embodied as a software package, code, instructions, instruction sets and/or data recorded on non-transitory computer readable storage mediums. Firmware may be embodied as code, instructions or instruction sets and/or data that are hard-coded (e.g., nonvolatile) in memory devices. “Circuitry”, as used in any embodiment herein, may comprise, for example, singly or in any combination, hardwired circuitry, programmable circuitry such as computer processors comprising one or more individual instruction processing cores, state machine circuitry, and/or firmware that stores instructions executed by programmable circuitry. The modules may, collectively or individually, be embodied as circuitry that forms part of a larger system, for example, an integrated circuit (IC), system on-chip (SoC), desktop computers, laptop computers, tablet computers, servers, smartphones, etc.

Any of the operations described herein may be implemented in a system that includes one or more storage mediums (e.g., non-transitory storage mediums) having stored thereon, individually or in combination, instructions that when executed by one or more processors perform the methods. Here, the processor may include, for example, a server CPU, a mobile device CPU, and/or other programmable circuitry. Also, it is intended that operations described herein may be distributed across a plurality of physical devices, such as processing structures at more than one different physical location. The storage medium may include any type of tangible medium, for example, any type of disk including hard disks, floppy disks, optical disks, compact disk read-only memories (CD-ROMs), compact disk rewritables (CD-RWs), and magneto-optical disks, semiconductor devices such as read-only memories (ROMs), random access memories (RAMs) such as dynamic and static RAMs, erasable programmable read-only memories (EPROMs), electrically erasable programmable read-only memories (EEPROMs), flash memories, Solid State Disks (SSDs), embedded multimedia cards (eMMCs), secure digital input/output (SDIO) cards, magnetic or optical cards, or any type of media suitable for storing electronic instructions. Other embodiments may be implemented as software modules executed by a programmable control device.

Thus, this disclosure is directed to privacy enforcement via localized personalization. An example device may comprise at least a user interface to present content. A message may be received into a trusted execution environment (TEE) situated within the device or remotely, the message including at least metadata and content. The TEE may determine relevance of the content to a user based on the metadata and user data. Based on the relevance, the TEE may cause the content to be presented to the user via the user interface. In one embodiment, the TEE may be able to personalize the content based on the user data prior to presentation. If the content includes an offer, the TEE may also be able to present counteroffers to the user based on user interaction with the content. The TEE may also be able to cause feedback data to be transmitted to at least the content provider.

The following examples pertain to further embodiments. The following examples of the present disclosure may comprise subject material such as a device, a method, at least one machine-readable medium for storing instructions that when executed cause a machine to perform acts based on the method, means for performing acts based on the method and/or a system for privacy enforcement via localized personalization, as provided below.

EXAMPLE 1

According to this example there is provided a device for privacy enforcement. The device may comprise at least a communication module to interact with a content provider, a user interface module to present content to a user and a trusted execution environment (TEE) to receive a message from the content provider via the communication module, the message including at least metadata and content, determine relevance of the content to the user based on at least one of the metadata and user data and cause the content to be presented to the user via the user interface module based on the relevance of the content.

EXAMPLE 2

This example includes the elements of example 1, wherein the TEE is situated in the device or outside of the device in at least one computing device.

EXAMPLE 3

This example includes the elements of any of examples 1 to 2, wherein the TEE comprises a secure memory space accessible only to applications verified as safe by the TEE.

EXAMPLE 4

This example includes the elements of any of examples 1 to 2, wherein the metadata comprises at least public routing data and private criteria.

EXAMPLE 5

This example includes the elements of example 4, wherein at least the private criteria are encrypted and the TEE is further to decrypt the private criteria.

EXAMPLE 6

This example includes the elements of example 4, wherein the private criteria are formulated using basic encoding rules including at least one of Extensible Access Control Markup Language (XACML), JavaScript Object Notation (JSON) or Abstract Syntax Notation One (ASN.1).

EXAMPLE 7

This example includes the elements of example 4, wherein the private criteria comprises dimension matching criteria including instructions for determining the relevance of the content.

EXAMPLE 8

This example includes the elements of example 7, wherein the dimension matching criteria comprises considering any user preferences regarding the presentation of content that are configured in the device.

EXAMPLE 9

This example includes the elements of example 4, wherein the TEE is further to personalize the content prior to presentation based on personalization criteria included in the private criteria, the personalization criteria including instructions for altering the content based on the user data.

EXAMPLE 10

This example includes the elements of example 4, wherein the TEE is further to cause additional content to be presented via the user interface module based on counter offer criteria included in the private criteria, the counter offer criteria including instructions for presenting additional content based on the interaction between the user and the presented content.

EXAMPLE 11

This example includes the elements of example 4, wherein the private criteria comprises feedback criteria including instructions for collecting the feedback data based on at least one of the user data and interaction between the user and the presented content.

EXAMPLE 12

This example includes the elements of example 11, wherein the TEE is further to cause the feedback data to be collected based on the interaction and to cause the feedback data to be transmitted to at least the content provider.

EXAMPLE 13

This example includes the elements of example 11, wherein the feedback data comprises at least privacy protected data resulting from the interaction and sanitized user data, the TEE being further to cause the communication module to transmit the privacy protected data to the content provider and to transmit the sanitized user data to an anonymous data accumulator.

EXAMPLE 14

This example includes the elements of example 13, wherein at least one of the privacy protected data or the sanitized user data may be transmitted using an anonymous interaction protocol.

EXAMPLE 15

This example includes the elements of any of examples 1 to 2, further comprising a data collection module to collect the user data from at least one of user interaction with the device, sensors in the device or data sources outside of the device.

EXAMPLE 16

This example includes the elements of any of examples 1 to 2, wherein the TEE is further to cause the user interface module to present a notification informing the user regarding availability of the content.

EXAMPLE 17

This example includes the elements of example 16, wherein the notification is at least one of an indicator or icon displayed on the device or a sound generated by the device.

EXAMPLE 18

This example includes the elements of any of examples 1 to 2, wherein the TEE is further to cause the message to be stored for later presentation by the device.

EXAMPLE 19

This example includes the elements of any of examples 1 to 2, wherein the metadata comprises at least public routing data and encrypted private criteria, the TEE being further to decrypt the private criteria.

EXAMPLE 20

This example includes the elements of example 19, wherein the private criteria comprises feedback criteria including instructions for collecting the feedback data based on at least one of the user data and interaction between the user and the presented content, the TEE being further to cause the feedback data to be collected based on the interaction and to cause the feedback data to be transmitted to at least the content provider.

EXAMPLE 21

According to this example there is provided a method for privacy enforcement. The method may comprise receiving a message in a trusted execution environment (TEE) from a content provider, the message including at least metadata and content, determining relevance of the content to a user based on at least one of the metadata and user data and causing the content to be presented to the user based on the relevance of the content.

EXAMPLE 22

This example includes the elements of example 21, wherein the metadata comprises at least public routing data and private criteria.

EXAMPLE 23

This example includes the elements of example 22, wherein at least the private criteria are encrypted and the method further comprises decrypting the private criteria.

EXAMPLE 24

This example includes the elements of example 23, wherein the private criteria are formulated using basic encoding rules including at least one of Extensible Access Control Markup Language (XACML), JavaScript Object Notation (JSON) or Abstract Syntax Notation One (ASN.1).

EXAMPLE 25

This example includes the elements of any of examples 22 to 24, wherein the private criteria comprises dimension matching criteria including instructions for determining the relevance of the content.

EXAMPLE 26

This example includes the elements of example 25, wherein the dimension matching criteria comprises considering any user preferences regarding the presentation of content that are configured in the device.

EXAMPLE 27

This example includes the elements of any of examples 22 to 24, and further comprises personalizing the content prior to presentation based on personalization criteria included in the private criteria, the personalization criteria including instructions for altering the content based on the user data.

EXAMPLE 28

This example includes the elements of any of examples 22 to 24, and further comprises causing additional content to be presented based on counter offer criteria included in the private criteria, the counter offer criteria including instructions for presenting additional content based on the interaction between the user and the presented content.

EXAMPLE 29

This example includes the elements of any of examples 22 to 24, wherein the private criteria comprises feedback criteria including instructions for collecting feedback data based on at least one of the user data and interaction between the user and the presented content.

EXAMPLE 30

This example includes the elements of example 29, and further comprises causing the feedback data to be collected based on the interaction and causing the feedback data to be transmitted to at least the content provider.

EXAMPLE 31

This example includes the elements of example 29, wherein the feedback data comprises at least privacy protected data resulting from the interaction and sanitized user data, the method further comprising causing the privacy protected data to be transmitted to the content provider and the sanitized user data to be transmitted to an anonymous data accumulator.

EXAMPLE 32

This example includes the elements of example 31, wherein at least one of the privacy protected data or the sanitized user data may be transmitted using an anonymous interaction protocol.

EXAMPLE 33

This example includes the elements of any of examples 21 to 24, and further comprises collecting the user data from at least one of user interaction, sensors or data sources outside the device.

EXAMPLE 34

This example includes the elements of any of examples 21 to 24, and further comprises causing a notification informing the user regarding availability of the content to be presented.

EXAMPLE 35

This example includes the elements of example 34, wherein the notification is at least one of an indicator or icon displayed on the device or a sound generated by the device.

EXAMPLE 36

This example includes the elements of any of examples 21 to 24, wherein the metadata comprises at least public routing data and encrypted private criteria, the method further comprising decrypting the private criteria.

EXAMPLE 37

This example includes the elements of example 36, wherein the private criteria comprises feedback criteria including instructions for collecting feedback data based on at least one of the user data and interaction between the user and the presented content, the method further comprising causing the feedback data to be collected based on the interaction and causing the feedback data to be transmitted to at least the content provider.

EXAMPLE 38

According to this example there is provided a system including at least one device, the system being arranged to perform the method of any of the above examples 21 to 37.

EXAMPLE 39

According to this example there is provided a chipset arranged to perform the method of any of the above examples 21 to 37.

EXAMPLE 40

According to this example there is provided at least one machine readable medium comprising a plurality of instructions that, in response to being executed on a computing device, cause the computing device to carry out the method according to any of the above examples 21 to 37.

EXAMPLE 41

According to this example there is provided at least one device configured for privacy enforcement via localized personalization, the device being arranged to perform the method of any of the above examples 21 to 37.

EXAMPLE 42

According to this example there is provided a system for privacy enforcement. The system may comprise means for receiving a message in a trusted execution environment (TEE) from a content provider, the message including at least metadata and content, means for determining relevance of the content to a user based on at least one of the metadata and user data and means for causing the content to be presented to the user based on the relevance of the content.

EXAMPLE 43

This example includes the elements of example 42, wherein the metadata comprises at least public routing data and encrypted private criteria, the system further comprising means for decrypting the private criteria.

EXAMPLE 44

This example includes the elements of example 43, wherein the private criteria comprises dimension matching criteria including instructions for determining the relevance of the content.

EXAMPLE 45

This example includes the elements of any of examples 43 to 44, and further comprises means for personalizing the content prior to presentation based on personalization criteria included in the private criteria, the personalization criteria including instructions for altering the content based on the user data.

EXAMPLE 46

This example includes the elements of any of examples 43 to 44, and further comprises means for causing additional content to be presented based on counter offer criteria included in the private criteria, the counter offer criteria including instructions for presenting additional content based on the interaction between the user and the presented content.

EXAMPLE 47

This example includes the elements of any of examples 43 to 44, wherein the private criteria comprises feedback criteria including instructions for collecting feedback data based on at least one of the user data and interaction between the user and the presented content, the system further comprising means for causing the feedback data to be collected based on the interaction and means for causing the feedback data to be transmitted to at least the content provider.

EXAMPLE 48

This example includes the elements of example 47, wherein the feedback data comprises at least privacy protected data resulting from the interaction and sanitized user data, the system further comprising means for causing the privacy protected data to be transmitted to the content provider and the sanitized user data to be transmitted to an anonymous data accumulator.

EXAMPLE 49

This example includes the elements of example 42, and further comprises means for causing a notification informing the user regarding availability of the content to be presented.

The terms and expressions which have been employed herein are used as terms of description and not of limitation, and there is no intention, in the use of such terms and expressions, of excluding any equivalents of the features shown and described (or portions thereof), and it is recognized that various modifications are possible within the scope of the claims. Accordingly, the claims are intended to cover all such equivalents.

What is claimed:
 1. A device configured for privacy enforcement, comprising: a communication module to interact with at least a content provider; a user interface module to present content to a user; and a trusted execution environment (TEE) to: receive a message from the content provider via the communication module, the message including at least metadata and content; determine relevance of the content to the user based on at least one of the metadata and user data; and cause the content to be presented to the user via the user interface module based on the relevance of the content.